
Layton City Policy

Personnel Policy Manual


1113 - HIPAA Privacy Policies and Procedures

Section I—Introduction

 

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health and Human Services (HHS) has adopted regulations called Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule).  The Privacy Rule establishes various requirements for Covered Entities regarding the protection of each individual’s Protected Health Information or PHI.  It limits the ways in which Covered Entities and their Business Associates may use and/or disclose an individual’s PHI.

 

The Layton City Partially Self-Funded Group Health Plan, Flexible Spending Plan, Vision Service Plan and Employee Assistance Plan are Covered Entities and are hereinafter collectively referred to as the Layton City Group Health Plan (the Plan). These privacy policies and procedures govern the Plan’s use and disclosure of PHI, and are intended to comply with the requirements of HIPAA and the Privacy Rule.

Section II—Definitions

 

Business Associate is someone who, on behalf of a Covered Entity, performs or assists in performing a function or activity involving the use or disclosure of PHI.  City employees are not Business Associates.

 

Covered Entity/Covered Entities are:  health plans, health care providers, and health care clearinghouses.   The Plan is a Covered Entity.

 

De-Identified Information is formerly Protected Health Information that no longer identifies an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

 

Designated Record Set is a group of records maintained by or for the Plan including enrollment, payment, claims adjudication and health plan case or medical management records systems, and any other records that may be used by or for the Covered Entity to make health care decisions about individuals.

 

HIPAA is the Health Insurance Portability and Accountability Act of 1996.

 

HHS is the U.S. Department of Health and Human Services.

 

Personal Representative is the person authorized by law to act on the individual’s behalf with respect to the individual’s PHI, for example, for the purpose of discussing the individual’s health care claims with Plan representatives.

 

Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information adopted by HHS.

 

Plan Sponsor is Layton City Corporation.

 

Privacy Official is the individual responsible for the development and implementation of the Plan’s privacy policies and procedures.  The Plan’s Privacy Official is the Plan Sponsor’s Assistant City Manager/Management Services Director.

 

Protected Health Information (PHI) is information that a Covered Entity (the Plan) or one of its Business Associates creates or receives that identifies an individual or could be used to identify an individual and describes the individual’s physical or mental health, health care, or payment for health care.

 

Required By Law means a legal requirement to use or disclose PHI that is enforceable in a court of law.  It includes, but is not limited to, valid court orders, warrants, subpoenas and summons.

 

Summary Health Information is information that may be individually identifiable and that summarizes the claims history, claims expenses, or type of claims experienced by individuals under the Plan and which has been De-identified, except that geographic information need only be aggregated to the level of a five digit zip code.

 

Section III—Uses and Disclosures of Protected Health Information

 

A.     For Payment and Health Care Operations

 

1.       Policy.  Under the Privacy Rule, Plan representatives are permitted to use and disclose PHI in order to perform the functions, activities, or services necessary to operate the Plan (also known as payment and health care operations).

 

2.       Procedure.  The Plan’s representatives may use and/or disclose PHI for payment and health care operations, subject to:  (a) the minimum necessary standard, as described in Subsection H below; and (b) the safeguards set forth in Section IV.

 

3.       Examples.  The following list illustrates types of permitted Plan activities that may involve the use or disclosure of PHI.  It is not exhaustive; rather, it is intended to confirm permissible activities that may include the use and/or disclosure of PHI, subject to the requirements described in Subsection A.2 above.

 

Accounting, Auditing, Appeals, Check Production, Claims Adjudication, Coordination of Benefits, Customer Service, Data Analysis, Electronic Data Interchange (EDI), Eligibility, Enrollment, Quality Assurance, Reporting, Repricing, Stoploss, Subrogation and Utilization Review.

 

B.      Business Associates


1.       Policy.  The Plan may disclose PHI to its Business Associates, and those Business Associates may also receive or create other PHI on behalf of the Plan.  The Privacy Rule requires the Plan to obtain satisfactory assurances from its Business Associates that they will appropriately safeguard the PHI they receive or create on behalf of the Plan.  The Plan will not disclose PHI to a Business Associate, or allow the Business Associate to create or receive PHI on its behalf unless the Business Associate has provided the appropriate assurances in the form of a Business Associate agreement that contains the elements required by the Privacy Rule.

2.       Procedure.  The Privacy Official is responsible for implementing this policy and will maintain a list of the Plan’s Business Associates and copies of the corresponding Business Associate agreements.

 

C.     Other Covered Entities

 

Under the Privacy Rule, Plan representatives may use and disclose PHI to other Covered Entities in the following circumstances:
1.       To a health care provider for its treatment activities;
2.       To another Covered Entity or health care provider for its payment activities;
3.       To another Covered Entity for its health care operations or for its health care fraud and abuse detection or compliance, if the Covered Entity has or had a relationship with the individual who is the subject of the PHI, and the PHI pertains to that relationship.

 

D.     As Required By Law and Other Specific Circumstances Listed in the Privacy Rule

 

1.       Policy.  The Privacy Rule specifies a number of other specific circumstances under which the Plan may use and disclose an individual’s PHI, including:  as Required By Law; for  certain public health activities; if Plan representatives reasonably believe that an individual is the victim of abuse, neglect or domestic violence; for certain health oversight activities; in the course of administrative or judicial proceedings; to law enforcement officials; to prevent a serious threat to health or safety; to authorized military or other federal officials for certain specialized governmental functions, for example, national security activities; with respect to inmates of correctional institutions; as necessary to comply with Workers Compensation laws; and to family members, other relatives, and close personal friends when directly relevant to the person’s involvement in the individual’s care or payment for care.

2.       Procedure.  All requests or proposals for uses and/or disclosures under one of these specific circumstances listed in the Privacy Rule will be evaluated by the Privacy Official, who will be responsible for ensuring that any such uses or disclosures satisfy the specific requirements applicable to that use or disclosure under the Privacy Rule.   The Privacy Official will keep a complete record of all such uses and disclosures.

 

E.      To De-Identify Protected Health Information

 

1.       Policy.  Authorized Plan representatives may use PHI in order to create De-identified Information. De-identified Information is no longer subject to the requirements of the Privacy Rule or these policies and procedures.

2.       Procedure.  PHI may be de-identified by removing all identifying numbers, characteristics and codes, including those specified in the Privacy Rule.  The Privacy Official—or the designated representative of the applicable Business Associate if the de-identification is being performed by a Business Associate—will be responsible for determining that PHI has been successfully de-identified.

 

F.      To the Plan Sponsor

 

1.       Policy.  The Plan may disclose the following information to the Plan Sponsor:
a)       Summary Health Information.  The Plan may disclose Summary Health Information to the Plan Sponsor if the Plan Sponsor requests the Summary Health Information for the following purposes:

i)        Obtaining premium bids from health insurers for providing health insurance coverage under the Plan; or

ii)      Modifying, amending, or terminating the Plan.

b)      Enrollment/Disenrollment Information.  The Plan may disclose to the Plan Sponsor information on whether an individual is participating in the Plan, or is enrolled or disenrolled from the Plan.
c)      PHI for Plan Administrative Functions.  The Plan may also disclose Protected Health Information to the Plan Sponsor in order for the Plan Sponsor to carry out plan administrative functions, but only if the Plan Sponsor certifies that it:

i)        Agrees to protect the privacy of the information and not use it for employment-related actions or decisions or in connection with any other benefit plan of the Plan Sponsor; and

ii)       Has amended its plan documents to incorporate the provisions required by the Privacy Rule and agrees to comply with those provisions.

 

2.       Procedure.  Except as provided in Subsection III.F.1.a. and b. above, prior to disclosing PHI to the Plan Sponsor, the Plan must be provided with a copy of the certification described in Subsection III.F.1.c above.  The Privacy Official will maintain a copy of such certification.

 

G.     With an Individual’s Authorization

 

1.       Policy.  Other than as described above in Subsections III.A through III.F, the Plan will not use or disclose PHI without a valid authorization from the individual whose PHI is to be used or disclosed.
2.       Procedures.  All Plan representatives must comply with the following procedures regarding authorizations.
a)       Authorization Form.  Plan representatives may use or disclose PHI if and to the extent authorized in a properly completed copy of an authorization form that satisfies the requirements of the Privacy Rule.
b)      Retention.  The Plan will retain an authorization for at least six years from the date that the authorization expired.
c)      Refusal.  The Plan will not honor an authorization where there is reasonable doubt or question about the:

i)        Identity of the individual presenting the authorization;

ii)      Status of the Personal Representative of a minor, deceased, or incompetent individual;

iii)     Legal age of the individual or status as an emancipated minor;

iv)    Individual’s capacity to understand the meaning of the authorization;

v)      Authenticity of the individual's signature; or

vi)    Current validity of the authorization.

 

When the Plan refuses an authorization, the Privacy Official will send a letter to the individual indicating why the refusal was made.

 

d)      Revocation.  An individual may revoke an authorization by providing a written statement to the Plan.  The revocation will become effective when it is received by the Plan.

 

H.     The Minimum Necessary Standard

 

1.       Policy.  When using or disclosing PHI or when requesting PHI from another Covered Entity, the Plan will make reasonable efforts to limit its use, disclosure or request of PHI to the minimum extent necessary to accomplish the intended purpose of the use, disclosure, or request.

2.       Exceptions.  This minimum necessary standard does not apply to:

 

a)       Disclosures to or requests by a health care provider for treatment purposes;

b)      Uses or disclosures made to the individual or the individual’s Personal Representative;

c)      Uses or disclosures made with an individual’s authorization;

d)      Disclosures made to the Secretary of HHS in order to comply with the requirements of the Privacy Rule;

e)       Uses or disclosures that are Required By Law; and

f)       Uses or disclosures that are required to comply with the Privacy Rule.

 

3.            Procedures. 

 

a)       Uses of PHI.  The following classes of persons who perform Plan administrative functions may need access to the specified categories of records that may contain PHI in order to carry out their duties:

 

Assistant City Manager/Management Services Director

—Enrollment and disenrollment records

—Benefit claims, Explanations of Benefits (EOBs) and related claims documentation

—Case management reports and records

—Financial reports and records

—Stop-loss claims and reports

—Appeals and associated documentation

—Other categories of PHI as necessary to perform the functions of the Privacy Official specified in these policies and procedures.    

 

 

Human Resources Officer

Human Resources Analyst

Human Resources Secretary

—Enrollment and disenrollment records

—Benefit claims, Explanations of Benefits (EOBs) and related claims documentation

—Case management reports and records

—Financial reports and records

—Stop-loss claims and reports

—Appeals and associated documentation

 

Finance Director

Accountants

Payroll Clerk

—Financial reports and records

—Stop-loss claims and reports

—Payroll deduction and W-2 reporting

 

City Manager

City Attorney

Assistant City Attorney

—Appeals and associated documentation

—Abuse or criminal prosecution

 

    

The access of these persons to PHI will be limited to the categories of records specified, and then only to the extent necessary to carry out their duties on behalf of the Plan.

 

b)      Disclosures of PHI. 

 

The only disclosures of PHI made by the Plan on a routine and recurring basis are performed by the Plan’s Business Associates and the Plan’s other Representatives who interface with the Business Associates, for example, in order to assist Plan participants in resolving benefit claims-related issues.  The privacy policies and procedures of each Business Associate, as well as the limitations in the applicable Business Associate Agreements, will govern the Business Associates in such situations.  The Plan’s other representatives, including those listed in Subsection H.3.a. above, will only disclose to the applicable Business Associate the level of PHI reasonably necessary to resolve the participant’s claims-related issue.

 

i)        No other disclosures will be made unless the Privacy Official determines that the following criteria apply:

—the purpose of the disclosure is explicitly stated;

—the purpose for which the PHI is to be disclosed cannot reasonably be accomplished with de-identified information;

—the categories of PHI to be disclosed are reasonably limited to those necessary to accomplish the purpose of the disclosure;

—the range of data within each category of PHI is reasonably limited by appropriate parameters (relevant dates or codes); and

—the disclosure otherwise complies with these policies and procedures and the requirements of the Privacy Rule.    

 

ii)      The Plan may reasonably rely on a requested disclosure as the minimum necessary for the stated purpose when:

—making disclosures to public officials that are permitted under the Privacy Rule if the public official represents that the information requested is the minimum necessary for the stated purpose;

—the information is requested by another Covered Entity;

—the information is requested by a professional who is a member of the Plan’s workforce or is a Business Associate of the Plan, if the professional represents that the information requested is the minimum necessary for the stated purpose(s).

 

c)      Requests for PHI. 

 

i)        The only requests for PHI made by the Plan on a routine and recurring basis are performed by the Plan’s Business Associates and the Plan’s other Representatives who interface with the Business Associates, for example, in order to assist Plan participants in resolving benefit claims-related issues.  The privacy policies and procedures of each Business Associate, as well as the limitations in the applicable Business Associate Agreements, will govern such situations.  The Plan’s other representatives, including those listed in Subsection H.3.a. above, will only request from the participant the level of PHI reasonably necessary to resolve the participant’s claims-related issue.

 

ii)      No other requests will be made unless the Privacy Official determines that the following criteria apply:

—the purpose of the request is explicitly stated;

—the purpose of the request for PHI cannot reasonably be accomplished with de-identified information;

—the categories of PHI requested are reasonably limited to those necessary to accomplish the purpose for which the request is made;

—the range of data within each category of PHI is reasonably limited by appropriate parameters (relevant dates or codes); and

—the request otherwise complies with these policies and procedures and the requirements of the Privacy Rule.    

 

 

Section IV—Safeguards

 

The Plan will institute appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.  At a minimum, the Plan will: reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of these policies and procedures; reasonably limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure; and take reasonable steps to verify the identity and authority of persons or entities to receive PHI prior to disclosing PHI to such persons or entities.

Plan representatives will comply with the following specific guidelines:

·         Keep paper documents and electronic media in secure areas (e.g., locked filing cabinets) when not in use;

·         Restrict access to document or data storage areas to authorized users only;

·         Do not use PHI outside of City facilities unless reasonably necessary;

·         If using PHI outside of City facilities, take precautions not to display PHI to non-authorized persons;

·         Use containers and envelopes for physical transportation of records or other media from one location to another;

·         Limit verbal communication of PHI to protect against incidental disclosure;

·         Use only secure means, e.g., encrypted e-mail, to transmit PHI electronically;

·         Use a fax cover sheet that contains a confidentiality notice;

·         Do not leave documents containing PHI at copy or fax machines unattended.

 

Section V—Individual Rights

 

The Privacy Rule requires the Plan to provide individuals certain rights with respect to their PHI.  The Plan’s third-party administrators/insurers have agreed to handle all requests from individuals with respect to the PHI that they maintain in their Designated Record Sets.  The Plan will implement the following policies and procedures in order to comply with requests from individuals with respect to PHI, if any, other than that maintained by the above named TPAs/insurers.  

 

A.      The Right to Inspect and Copy PHI in a Designated Record Set

 

1.       Policy.  Individuals (and their Personal Representatives) will be provided the right to inspect and/or obtain a copy of PHI about the individual in a Designated Record Set except for:
a)       Psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
b)      PHI that is duplicative of what the above named TPAs/insurers maintain in a Designated Record Set.
2.       Procedures. 
a)       All such requests must be submitted to the Privacy Official in writing.
b)      The Privacy Official will take reasonable steps to verify the identity and authority of the requesting individual.
c)      The Privacy Official will deny the request with respect to any requested information that is either psychotherapy notes or compiled in anticipation of a proceeding, as described above, or any requested information that was obtained from someone other than a health care provider under a promise of confidentiality if granting the individual’s request would be reasonably likely to reveal the source of the information.  These grounds for denial are unreviewable (meaning it would go straight to court).
d)      The Privacy Official may also deny requests to inspect and/or obtain a copy of PHI if a licensed health care provider determines, in the exercise of professional judgment, that granting the request would be reasonably likely to endanger the life or physical safety of the individual or another person.  If the Plan denies a request on this basis, the denial is reviewable, as specified in the Privacy Rule, and the Privacy Official will be responsible for offering and conducting the review in compliance with the requirements of the Privacy Rule.
e)       The Privacy Official will act on written requests no later than 30 days after receipt of the request, unless the request is for PHI that is not maintained or accessible to the Plan on site, in which case the Privacy Official will act on the request within 60 days after receipt.  If the Privacy Official is unable to take action within the 30 or 60 days, as applicable, the Privacy Official may extend the time by no more than 30 additional days by providing the individual with a written statement of the reasons for the delay and date by which the Privacy Official will act on the request.
f)       If the request is denied, the Privacy Official will provide a timely, written denial in plain language to the individual, containing: the basis for the denial, if applicable; the individual’s review rights; and a description of how the individual may complain to the Plan or to the Secretary of Health and Human Services.
g)      If the request is granted, the Privacy Official will provide the individual with access to the PHI in the form or format requested by the individual, unless it is not readily producible in such form or format, in which case the Privacy Official will provide access in a readable hard copy format or other format agreed to by the individual.
h)      The Privacy Official may provide the individual with a summary of the requested PHI instead of providing access to the requested PHI, or may provide an explanation of the PHI to which access has been provided, if: (a) the individual agrees in advance to such a summary or explanation; and (b) the individual agrees in advance to the fees imposed, if any, by the Plan for such summary or explanation.
i)        If the individual requests copies of the information, or agrees to a summary or explanation of the information, the Plan may charge a reasonable fee for the costs (including copying, postage, supplies and labor) of complying with the request, as determined by the Privacy Official.

 

B.   The Right to Amend PHI in a Designated Record Set

 

1.       Policy.  Individuals (and their Personal Representatives) will be provided the right to request that the Plan amend PHI or a record about them in a Designated Record Set, other than PHI maintained by the above named TPAs/insurers.
2.       Procedures. 
a)       All such requests must be submitted to the Privacy Official in writing and must specify the requested amendment and why the amendment is necessary.
b)      The Privacy Official will take reasonable steps to verify the identity and authority of the requesting individual.
c)      The Privacy Official will deny the request with respect to any PHI that:
i)        Was not created by the Plan, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
ii)      Is not part of the Designated Record Set;
iii)     Would not be available to inspect or copy under Section V.A. above;
iv)    Is accurate and complete.
d)      The Privacy Official will act on written requests no later than 60 days after receipt of the request, unless the Privacy Official is unable to take action within the 60 days, in which case the Privacy Official may extend the time by no more than 30 additional days by providing the individual with a written statement of the reasons for the delay and date by which the Privacy Official will act on the request.
e)       If the request is granted, the Privacy Official will:
i)        Make the appropriate amendment to the PHI or record, which at a minimum will identify the records in the Designated Record Set that are affected by the amendment and append or otherwise provide a link to the location of the amendment; 
ii)      Inform the individual that the amendment is accepted and obtain the individual’s identification of the relevant persons with which the amendment needs to be shared and agreement for the Plan to do so;
iii)     Make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the requesting individual, and other persons, including business associates, that the Plan knows have the PHI that is the subject of the amendment and that may have relied or might rely on such information to the detriment of the individual.
f)       If the request is denied, the Privacy Official will provide a timely, written denial in plain language to the individual, containing:
i)        The basis for the denial;
ii)      The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
iii)     Notification that if the individual does not submit a statement of disagreement that the individual may request that the Plan provide the individual’s request for amendment and the denial with any future disclosures of the PHI that is the subject of the requested amendment; and
iv)    A description of how the individual may complain to the Plan or to the Secretary of Health and Human Services.
g)      Individuals may submit to the Privacy Official a statement disagreeing with the denial of all or a part of a requested amendment and the basis of such disagreement.  The Privacy Official may reasonably limit the length of such statements.
h)      If appropriate, the Privacy Official may prepare a written rebuttal to the individual’s statement of disagreement.  If the Privacy Official prepares such a rebuttal, the Privacy Official will provide a copy to the individual.
i)        The Privacy Official will, as appropriate, identify the record or PHI in the Designated Record Set that is the subject of a disputed amendment and append or otherwise link the individual’s request for an amendment, the Plan’s denial, the individual’s statement of disagreement, if any, and the Plan’s rebuttal, if any, to the Designated Record Set.
j)        If a statement of disagreement has been provided by the individual to the Privacy Official, the Privacy Official will take appropriate steps to ensure that the items described in subsection (h) above—or at the Privacy Official’s election, an accurate summary of such items—are included in any subsequent disclosures of the PHI that is the subject of the dispute.  If a statement of disagreement has not been provided, the Privacy Official will only include the request for amendment and the Plan’s denial (or at the Privacy Official’s election, an accurate summary of such items) if the individual has requested the Plan to do so.
k)      The Privacy Official will keep an accurate record of all requests for amendment and related communications and other materials generated or provided in the course of responding to such requests.

 

C.     The Right to an Accounting of Disclosures

 

1.       Policy.  Individuals (and their Personal Representatives) will be provided the right to an accounting of disclosures of PHI made by the Plan about them in the six years prior to the date on which the accounting is requested, except for disclosures:
a)       To carry out treatment, payment and health care operations, as defined in the Privacy Rule;
b)      To the individual, or their Personal Representative, of PHI about the individual;
c)      Incident to a use or disclosure otherwise permitted or required by the Privacy Rule;
d)      Pursuant to an authorization by the individual or their Personal Representative;
e)       For national security or intelligence purposes;
f)       To correctional institutions or law enforcement officials;
g)      Made by above named TPAs/insurers; or
h)      That occurred prior to April 14, 2004.

 

2.       Procedures. 
a)       All such requests must be submitted to the Privacy Official and should specify the period for which the accounting is requested (which may not exceed the six years prior to the date of the request or be for any period before April 14, 2004).
b)      The Privacy Official will take reasonable steps to verify the identity and authority of the requesting individual.
c)      The Privacy Official will act on requests no later than 60 days after receipt of the request, unless the Privacy Official is unable to take action within the 60 days, in which case the Privacy Official may extend the time by no more than 30 additional days by providing the individual with a written statement of the reasons for the delay and date by which the Privacy Official will act on the request.
d)      The Privacy Official will provide the requesting individual with a written accounting of any disclosures during the period covered by the accounting that are not excepted under Section V.C.1 above.  The accounting will include, for each disclosure:
i)        The date of the disclosure;
ii)      The name of the entity or person who received the PHI and, if known, the address of such entity or person;
iii)     A brief description of the PHI disclosed; and
iv)    A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.
e)       The Plan will provide the first accounting to an individual in any 12-month period without charge.  The Plan will charge a reasonable, cost-based fee for each subsequent request for an accounting by the individual within the 12-month period.  The Privacy Official will inform the individual in advance of any applicable fee and provide the individual with an opportunity to withdraw or modify the request in order to avoid or reduce the applicable fee.
f)       The Privacy Official will document and retain the necessary information related to each disclosure of PHI made by the Plan that is subject to accounting under these policies and procedures.  The Privacy Official will also document and retain a record of all accountings that are provided to individuals.

 

D.     The Right to Request a Restriction of Uses and Disclosures

 

1.       Policy. 
a)       Individuals (and their Personal Representatives) will be provided the right to request that the Plan restrict its uses and disclosures of the individual’s PHI in carrying out treatment, payment or health care operations or request that the Plan restrict its disclosures of the individual’s PHI to family members, other relatives or close personal friends in certain situations, as allowed by the Privacy Rule. 
b)      The Plan is not required to agree to any requested restriction. 
c)      If the Plan does agree to a restriction, it may not use or disclose the PHI in violation of the restriction except that, if the individual who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment, the Plan may disclose the PHI to a health care provider to provide such treatment to the individual with the request that the health care provider not further use or disclose the information.
d)      Restrictions do not prevent the Plan from making disclosures to the Secretary of HHS and uses and disclosures for which an authorization or an opportunity to agree or object is not required under the Privacy Rule.
e)       The Plan may terminate its agreement to a restriction if the individual agrees to or requests the termination in writing, the individual orally agrees to the termination and the oral agreement is documented, or the Plan informs the individual that it is terminating its agreement to a restriction, effective for any PHI created or received after it has informed the individual.
2.       Procedures. 
a)       All such requests must be submitted to the Privacy Official and should specify the exact nature of the requested restriction.
b)      The Privacy Official will take reasonable steps to verify the identity and authority of the requesting individual.
c)      The Privacy Official will promptly consider and respond to requests in accordance with the policy outlined above.  The Privacy Official will coordinate the consideration and response to any such requests with the above named TPAs/insurers to the extent the request involves use or disclosures made by either of them.   If the Plan agrees to a restriction, the Privacy Official will document the restriction and promptly communicate the restriction to any Business Associates affected by the restriction.

 

E.      The Right to Request Confidential Communications

 

1.       Policy. 
a)       Individuals (and their Personal Representatives) will be provided the right to request that the Plan communicate PHI to them by alternative means or at alternative locations. 
b)      The Plan will accommodate reasonable requests if the individual clearly states that the disclosure of all or part of the applicable PHI using the usual means or at the usual location would endanger the individual. 
2.       Procedures. 
a)       All requests for confidential communications must be submitted in writing and must include:

i)     Specification of an alternative address or other method of contact;

ii)   When appropriate, information as to how payment, if any, will be handled; and

iii)  A statement that disclosure of all or part of the applicable PHI using the usual means or at the usual location would endanger the individual.

b)      The Privacy Official will take reasonable steps to verify the identity and authority of the requesting individual.
c)      The Privacy Official will promptly consider and respond to requests in accordance with the policy and procedures outlined above. The Privacy Official will coordinate the consideration and response to any such requests with the above named TPAs/insurers to the extent the request involves disclosures made by them.  If the Plan agrees to a restriction, the Privacy Official will document the restriction and promptly communicate the restriction to any Business Associates affected by the restriction.

 

Section VI—Compliance

 

A.     Notice of Privacy Practices

 

1.       Policy.  The Plan will provide to each employee covered by the Plan a Notice of Privacy Practices (the "Notice"), and otherwise make the Notice available, in compliance with the requirements of the Privacy Rule.

 

2.            Procedure. 

     

a)       The Privacy Official will be responsible for developing and maintaining the Notice, and will ensure that it contains the elements required by the Privacy Rule.

 

b)      The Notice will be delivered to all participating employees:

i)        No later than April 14, 2004;

ii)      On an ongoing basis, at the time of an employee’s enrollment in the Plan; and

iii)     Within 60 days after a material change to the Notice.

 

c)      No less frequently than once every three years, the Plan will notify covered employees of the availability of the Notice and how to obtain the Notice.

 

B.      Training

 

The Plan will train all members of its workforce—the classes of employees identified in Section III.H.3.a. above—on the requirements of the Privacy Rule and these policies and procedures, as necessary to permit them to carry out the Plan functions they perform.  The Privacy Official will oversee this process, including the development of training materials and the provision of the training. 

 

C.     Complaints

 

1.       Policy.  The Plan is committed to full compliance with all of its obligations under the Privacy Rule.  All Plan participants or other affected individuals are encouraged to file a complaint with the Privacy Official if they have reason to believe that the Plan has violated any aspect of the Privacy Rule.  The Plan will promptly investigate and respond to all such complaints, and will not penalize or retaliate against anyone for filing a complaint.

2.            Procedure.  All complaints should be in writing, and submitted to the Plan’s Privacy Official:

 

 

Assistant City Manager/Management Services Director

Layton City Corporation

437 N. Wasatch Drive

Layton, UT  84041

     

      The Privacy Official will: a) promptly and thoroughly investigate the complaint; b) respond to the complaining individual within 30 days of receiving the complaint; and c) take any corrective action that is necessary or warranted by the Privacy Official’s investigation, including steps to mitigate, to the extent practicable, any harmful effect of any confirmed violation of the Privacy Rule. 

 

Individuals may also file a complaint with the Office of Civil Rights, U.S. Department of Health and Human Services (OCR).  Complaints with OCR must: be in writing, either in paper or electronically; name the underlying plan and describe the act or omission believed to be in violation of the Privacy Rule; and be filed within 180 days after the alleged act or omission occurred.

 

D.     Mitigation

 

1.       Policy.  The Plan must mitigate, to the extent practicable, any harmful effect that is known to the Plan of a use or disclosure of PHI by the Plan in violation of the Privacy Rule.

2.       Procedure.  Any Plan representative, including Business Associates, who becomes aware of an actual or potential violation of these policies and procedures or other aspect of the Privacy Rule by the Plan or its representatives must immediately report it to the Plan’s Privacy Official.  The Privacy Official will: a) thoroughly investigate the underlying facts; and b) if a violation is confirmed, take immediate steps to mitigate, to the extent practicable, any harmful effect of such violation.

 

E.      Disciplinary Action

 

1.       Policy.  It is critical that all Plan representatives, including Business Associates, comply with these policies and procedures.  Violations will result in disciplinary action, which may include the termination of employment, or the termination of the Business Associate relationship, as applicable.

2.            Procedure.  With respect to Plan representatives who are also employees of the Plan Sponsor, unintentional violations will generally be resolved through progressive discipline, in accordance with City procedures.  Depending on the severity, intentional violations will generally be resolved by either a suspension without pay, or immediate termination of employment.  Despite these generalizations, the Plan Sponsor reserves full discretion to discipline employees as it deems appropriate, in compliance with its related employment policies and procedures.

 

F.      Documentation

 

1.       Policy.  The Plan will maintain each of the following documentation items for six years from the date of its creation or the date when it last was in effect, whichever is later:

a)       These written Policies and Procedures;

b)      All Plan written privacy communications, e.g., the Notice of Privacy Practices, and responses to requests regarding individual rights;

c)      Authorizations from individuals; and

d)      A record of any other actions, activities and designations that are required to be documented by the Privacy Rule.

 

2.            Procedure.  The Privacy Official is responsible for maintaining these records.

 

G.     Access

 

The Plan will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining the Plan’s compliance with the Privacy Rule.

 

Section VII—No Retaliation or Waiver

 

A.     Plan representatives may not intimidate, threaten, coerce, discriminate against, or take other retaliatory actions against:

 

1.       Any Individual for exercising any right under the Privacy Rule or participating in any process established by the Privacy Rule; and

 

2.       Any Individual or other person for: filing a complaint under the Privacy Rule; testifying, participating or assisting in an investigation, compliance review, proceeding or hearing under the Privacy Rule; or opposing any act or practice made unlawful by the Privacy Rule, provided that the person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the Privacy Rule.

 

B.      Plan representatives may not require individuals to waive any of their rights under the Privacy Rule as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

 

 

Section VIII—Plan Sponsor Employment Records

 

The employment and workforce records of the Plan Sponsor will be maintained in a confidential manner in accordance with city policy; however, because they are not created or maintained by a Covered Entity (the Plan), they are specifically excluded from the definition of Protected Health Information and are not covered under the Privacy Rule.  These records include, but are not limited to, the following:
·         Personnel file records, including applications for employment, disciplinary action records, and laboratory, radiology, or other health related tests required as a condition of employment;
·         Return-to-work, Workers Compensation, or other documents relating to work-related injury or illness;
·         Documents generated or maintained as part of the City’s obligations under the ADA or FMLA;
·         Documents generated or maintained under non-health benefit plans, e.g., life or disability plans;
·         Employer-ordered substance abuse test results;
·         Other employment (not Plan) records maintained in the City’s Human Resources Division.

 

 

 

Enacted, 12/10/2004
Amended, 12/28/2004, Previous Policy 1103
Amended, 7/30/2012, Previous Policy 1113
 




 
 